Re: [Geoserver-users] Layer group not appearing in WMS GetCapabilities

[Joni Hämäläinen]

Hi,

Sorry to bother again with this, but does anyone have any insight on this layer 
group security issue? 
I would be happy with something, even just a confirmation if this is a feature 
or a bug?

Thanks and have a nice day.

BR,
Joni

On 2.3.2021, 11.54, "Joni Hämäläinen"  wrote:

Hi,

I am struggling, as I can't get a simple layer group to be visible in 
GetCapabilities response for unauthenticated users. 
I am fairly certain there is some issue/bug regarding data security and 
layer groups.

Similar problems have been posted by other users, but I don't see any real 
solutions in the answers:

https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/CADQ3-ytgSi7mF-ap9fukMWKF_hbKcqAPVYN%2BOWHa_NBm%2BxVOJw%40mail.gmail.com/#msg36625778
https://osgeo-org.atlassian.net/browse/GEOS-9376

Use case is to bundle few cascaded layers to a single group, that would be 
listed for a web app. Listing the layers naturally is done via GetCapabilities.

I have a workspace "example.com", which contains the cascaded store, the 
layers I want to group and the layer group itself.

I can see the layer group in the GetCapabilities when I am logged in to 
Geoserver. But making the same request from unauthenticated browser session 
results in that layer group disappear from the GetCapabilities document. All 
advertised "normal layers" in the same workspace list fine in GetCapabilities 
for both authenticated and unauthenticated users.
Result is the same with either SINGLE/OPAQUE CONTAINER/NAMED TREE setting 
for the layer group. (In the end I would like to set it as OPAQUE CONTAINER).

And note: I can make GetMap requests to the layer group, it works fine as 
it should be! The inconsistency is that it does not appear in the 
GetCapabilities.

I've come to conclusion that there is some inconsistency with the data 
security settings and layer groups, as eventually I can get the layer group 
appear in the GetCapablities for unauthenticated users. But this requires to 
relax security to level which I'm not comfortable with.

The starting point with security settings, that make the layer group NOT 
visible in the GetCapablities for unauthenticated users (but GetMap works):
*.*.r=ADMIN
*.*.w=GROUP_ADMIN,ADMIN
example.*.r=*
mode=HIDE

I tried adding "example..r=*", no luck.
I tried adding "example..r=*", no luck

Eventually I tried to remove the "ADMIN" requirement for read all, so the 
settings became:
*.*.r=*.
*.*.w=GROUP_ADMIN,ADMIN
example.*.r=*
mode=HIDE

And tada, the layer group appeared to the GetCapabilities document for 
unauthenticated users. 

But naturally I would not like to expose everything readable by default. 
And I am confused, because having the workspace read for everybody works with 
normal layers, as in they appear in GetCapabilities. But a simple layer group 
in the workspace is not included in the GetCapabilities.

I tried to go through the source code and even some test cases, but I 
couldn't find anything relevant to this with my limited knowledge of the code 
base.

Can anyone confirm, that there is a problem with this regarding layer 
groups appearing in GetCapabilities? Or is this an intended feature?
I feel it pretty strange, that I can happily make a GetMap request to this 
layer group, but it doesn't appear in the Capabilities.

Thank you very much for any feedback on this.

Best regards,
Joni



___
Geoserver-users mailing list

Please make sure you read the following two resources before posting to 
this list:
- Earning your support instead of buying it, but Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users


___
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, but Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

[Geoserver-users] Layer group not appearing in WMS GetCapabilities

[Joni Hämäläinen]

Hi,

I am struggling, as I can't get a simple layer group to be visible in 
GetCapabilities response for unauthenticated users. 
I am fairly certain there is some issue/bug regarding data security and layer 
groups.

Similar problems have been posted by other users, but I don't see any real 
solutions in the answers:
https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/CADQ3-ytgSi7mF-ap9fukMWKF_hbKcqAPVYN%2BOWHa_NBm%2BxVOJw%40mail.gmail.com/#msg36625778
https://osgeo-org.atlassian.net/browse/GEOS-9376

Use case is to bundle few cascaded layers to a single group, that would be 
listed for a web app. Listing the layers naturally is done via GetCapabilities.

I have a workspace "example.com", which contains the cascaded store, the layers 
I want to group and the layer group itself.

I can see the layer group in the GetCapabilities when I am logged in to 
Geoserver. But making the same request from unauthenticated browser session 
results in that layer group disappear from the GetCapabilities document. All 
advertised "normal layers" in the same workspace list fine in GetCapabilities 
for both authenticated and unauthenticated users.
Result is the same with either SINGLE/OPAQUE CONTAINER/NAMED TREE setting for 
the layer group. (In the end I would like to set it as OPAQUE CONTAINER).

And note: I can make GetMap requests to the layer group, it works fine as it 
should be! The inconsistency is that it does not appear in the GetCapabilities.

I've come to conclusion that there is some inconsistency with the data security 
settings and layer groups, as eventually I can get the layer group appear in 
the GetCapablities for unauthenticated users. But this requires to relax 
security to level which I'm not comfortable with.

The starting point with security settings, that make the layer group NOT 
visible in the GetCapablities for unauthenticated users (but GetMap works):
*.*.r=ADMIN
*.*.w=GROUP_ADMIN,ADMIN
example.*.r=*
mode=HIDE

I tried adding "example..r=*", no luck.
I tried adding "example..r=*", no luck

Eventually I tried to remove the "ADMIN" requirement for read all, so the 
settings became:
*.*.r=*.
*.*.w=GROUP_ADMIN,ADMIN
example.*.r=*
mode=HIDE

And tada, the layer group appeared to the GetCapabilities document for 
unauthenticated users. 

But naturally I would not like to expose everything readable by default. And I 
am confused, because having the workspace read for everybody works with normal 
layers, as in they appear in GetCapabilities. But a simple layer group in the 
workspace is not included in the GetCapabilities.

I tried to go through the source code and even some test cases, but I couldn't 
find anything relevant to this with my limited knowledge of the code base.

Can anyone confirm, that there is a problem with this regarding layer groups 
appearing in GetCapabilities? Or is this an intended feature?
I feel it pretty strange, that I can happily make a GetMap request to this 
layer group, but it doesn't appear in the Capabilities.

Thank you very much for any feedback on this.

Best regards,
Joni



___
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, but Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users